Category Archives: Security

There is no doubt that information security is one of the main objectives of every organization that relies on an ICT infrastructure. In some organizations, the task of maintaining information security is assigned to dedicated teams that are not concerned with keeping the network up and running or delivering IT services. However, it is crucial that the network, IT, and security teams collaborate to protect the organization’s information assets. One area where the ICT team can support the security team is by implementing proper network management functions.

Network management best practices follow the ISO Telecommunications Management Network (TMN) framework, which splits the network management functions into five key areas referred to by the acronym FCAPS (Fault, Configuration, Accounting, Performance, Security). It can be argued that efficient information security starts after these five functions are put in place and used properly. To elaborate, here are some of the areas where the FCAPS functions play vital roles in securing the organization’s data assets:

Fault Management Functions

Active/Passive Monitoring

Organizations’ security concerns are often focused on protecting their data and ensuring its integrity and confidentiality. Availability of the services provided by the IT infrastructure is also an important aspect of information security, as cyber attacks may target the infrastructure with denial of service (DoS) attacks in an attempt to prevent the organization from conducting its normal operations. For instance, a DoS attack may aim at preventing the organization from collecting toll fees and generating revenue.

Fault Alerts

Active and passive monitoring of network devices or network services (such as the organization’s online sales portal) for continued activity will provide the network administrators with alerts when these devices or services stop functioning properly. Whether the outage is caused by a malfunction or a cyber attack, restoring the services and resuming normal operations is the responsibility of both the network management and the information security roles.
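As an added example of the active-monitoring side of fault management (this code is written for this page and is not the author's or any product's), the following Python poller probes each service with a TCP connect and raises an alert only when a service changes state after a configurable number of consecutive failures, so a single lost handshake does not page anyone and an ongoing outage is reported once. The target names and addresses are constructed; the `failures_before_alert` threshold of 2 is an assumed value.

```python
import socket
from typing import Callable, Dict, List, Tuple

# Constructed targets: (name, host, port). The hostnames do not exist.
TARGETS = [
    ("sales-portal", "portal.example.invalid", 443),
    ("core-router-ssh", "10.0.0.1", 22),
]
Probe = Callable[[str, int], bool]


def tcp_probe(host: str, port: int, timeout: float = 3.0) -> bool:
    """Active check: can we complete a TCP handshake with the service?"""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


class ServiceMonitor:
    """Tracks each target's state and alerts only on a change of state, so a
    flapping link or an already-known outage does not page the operator repeatedly."""

    def __init__(self, targets, probe: Probe = tcp_probe, failures_before_alert: int = 2):
        self.targets = targets
        self.probe = probe                      # injectable so the logic can be tested offline
        self.failures_before_alert = failures_before_alert  # assumed threshold
        self.state: Dict[str, str] = {name: "UP" for name, _, _ in targets}
        self.consecutive_failures: Dict[str, int] = {name: 0 for name, _, _ in targets}

    def poll(self) -> List[Tuple[str, str]]:
        """Probe every target once; return (name, new_state) for targets whose state changed."""
        alerts = []
        for name, host, port in self.targets:
            ok = self.probe(host, port)
            self.consecutive_failures[name] = 0 if ok else self.consecutive_failures[name] + 1
            if ok:
                new_state = "UP"
            elif self.consecutive_failures[name] >= self.failures_before_alert:
                new_state = "DOWN"
            else:
                new_state = self.state[name]    # below threshold: keep the previous state
            if new_state != self.state[name]:
                self.state[name] = new_state
                alerts.append((name, new_state))
        return alerts


if __name__ == "__main__":
    monitor = ServiceMonitor(TARGETS)
    for name, new_state in monitor.poll():
        print(f"ALERT {name} is now {new_state}")
```

The same loop would be driven by a scheduler (cron, a systemd timer, or the poller of an NMS) at the desired interval; restoring service is then the joint job of the network and security teams, as the text notes.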

Configuration Management Functions

Information security relies on configuration management in many aspects, including configuration monitoring, change control, and auditing. For example, the organization can use the following configuration management functions within the information security context:

Topology Discovery

Topology discovery and device inventory tools can detect devices that are connected to the network without authorization. Where the organization’s infrastructure covers a large area, this capability is necessary both to enforce change management controls and to detect malicious attempts to infiltrate the infrastructure through devices located in remote areas.

Configuration Audit

Regular configuration audits provide the ability to detect any change to the configuration that may weaken network security. As many organizations rely on various contractors to provide technical services and support, the ability to detect and track configuration changes made by contractors to network devices gives the organization’s staff the means to assess each change from a security point of view. Also, if an attacker manages to break into the network and changes device configuration to pursue an advanced attack, a comparison with the older configuration will detect the change and allow recovery from the attack by restoring the proper configuration.
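As an added example of the configuration audit described above (written for this page, not taken from the author or any vendor tool), the following Python compares a baseline configuration snapshot with the current one and classifies the changed lines against a short list of patterns that weaken device security: a management protocol enabled, a VTY access restriction removed, a new privileged account. Both configuration snapshots are constructed and use a generic IOS-like syntax; the pattern list is illustrative, not a vendor hardening guide.

```python
from __future__ import annotations

import difflib
import re

# Constructed sample: the snapshot saved at the last audit ...
BASELINE_CONFIG = """\
hostname edge-rtr-1
no ip http server
ip ssh version 2
username admin privilege 15 secret 5 $1$placeholder
line vty 0 4
 transport input ssh
 access-class 10 in
access-list 10 permit 10.0.0.0 0.0.0.255
snmp-server community ro-placeholder RO
"""

# ... and the configuration as pulled from the device today (also constructed).
CURRENT_CONFIG = """\
hostname edge-rtr-1
ip http server
ip ssh version 2
username admin privilege 15 secret 5 $1$placeholder
username svc-temp privilege 15 secret 5 $1$placeholder2
line vty 0 4
 transport input ssh telnet
access-list 10 permit 10.0.0.0 0.0.0.255
snmp-server community ro-placeholder RO
"""

# Lines whose addition weakens security ...
RISKY_ADDITIONS = [
    (re.compile(r"^ip http server$"), "plaintext HTTP management enabled"),
    (re.compile(r"^\s*transport input .*\btelnet\b"), "telnet allowed on a VTY line"),
    (re.compile(r"^username \S+ privilege 15"), "new privilege-15 account"),
    (re.compile(r"^snmp-server community \S+ RW"), "read-write SNMP community"),
]
# ... and lines whose removal weakens security.
RISKY_REMOVALS = [
    (re.compile(r"^\s*access-class \d+ in"), "VTY access restriction removed"),
    (re.compile(r"^no ip http server$"), "HTTP server no longer disabled"),
    (re.compile(r"^ip ssh version 2$"), "SSH v2 enforcement removed"),
]


def config_diff(baseline: str, current: str) -> tuple[list[str], list[str]]:
    """Return (added_lines, removed_lines) between two configuration snapshots."""
    added, removed = [], []
    for line in difflib.unified_diff(baseline.splitlines(), current.splitlines(), lineterm="", n=0):
        if line.startswith(("+++", "---", "@@")):
            continue  # diff headers, not configuration
        if line.startswith("+"):
            added.append(line[1:])
        elif line.startswith("-"):
            removed.append(line[1:])
    return added, removed


def audit_config(baseline: str, current: str) -> list[str]:
    """Classify each changed line; return the findings that weaken security."""
    added, removed = config_diff(baseline, current)
    findings = []
    for line in added:
        for pattern, reason in RISKY_ADDITIONS:
            if pattern.search(line):
                findings.append(f"ADDED   {line.strip()!r}: {reason}")
    for line in removed:
        for pattern, reason in RISKY_REMOVALS:
            if pattern.search(line):
                findings.append(f"REMOVED {line.strip()!r}: {reason}")
    return findings


if __name__ == "__main__":
    for finding in audit_config(BASELINE_CONFIG, CURRENT_CONFIG):
        print(finding)
```

Every changed line, risky or not, is still worth reviewing against the change-control record; the pattern list only orders the queue. Restoring the baseline snapshot is the recovery step the text mentions, and keeping the snapshots under version control gives the audit trail for contractor changes.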

Equipment Hardening

Equipment hardening is a basic best practice that the organization should follow to maintain network security. The practice includes restricting physical and logical access to the network infrastructure to authorized personnel, disabling protocols that are not needed or are considered insecure (such as HTTP and Telnet), and shutting down unused ports to prevent unauthorized access. A security protocol (e.g. 802.1X) can be implemented to limit wired and wireless access to devices with known MAC addresses.

Accounting Management Functions

Although accounting management functions are largely ignored in organizations that do not track usage or charge fees for using ICT resources, tracking these resources can serve security purposes. Restricting and monitoring resource usage through quotas (such as disk space) can protect the organization from abuse of these resources by employees or by outsiders who manage to gain access to them.

Performance Management Functions

Performance monitoring tools can gather information to satisfy security and compliance requirements. Performance analysis tools can generate security reports directly or export the data to dedicated security tools for further analysis and reporting. Network management teams can use performance monitoring to support information security in these areas:

Utilization Monitoring

Monitoring the utilization of certain resources or the frequency of certain events (Internet bandwidth, disk space, number of failed login attempts, etc.) and setting thresholds for normal values can assist in identifying security incidents. A sudden surge in Internet traffic may signal that an upload of a large amount of data is in progress, or the onset of a distributed denial of service (DDoS) attack.

Event Correlation

Correlating traffic anomalies and other events to detect security incidents is a function that sophisticated security tools provide. Similar results are also possible using performance management tools that use trend monitoring and correlation functions to detect and isolate network problems. For instance, a surge in upstream traffic accompanied by a drop in failed login attempts could be a sign that an attacker has succeeded in gaining access to the network.
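As an added example covering both the utilization monitoring and the event correlation items above (example code written for this page, not the author's), the following Python learns a baseline for each counter from a constructed series of 5-minute samples, flags intervals that exceed mean plus three standard deviations, and then correlates the two counters: a traffic surge while failed logins keep climbing looks like brute forcing or a bulk transfer, whereas a surge during which failed logins collapse is the pattern the text warns about. The sample values, the 8-interval learning window and the z = 3 and 50% thresholds are all assumptions.

```python
from statistics import mean, pstdev

# Constructed sample: 5-minute samples of two counters from one site,
# (interval, upstream Internet traffic in Mbit/s, failed logins in that interval).
SAMPLES = [
    (0, 12.0, 40), (1, 11.5, 38), (2, 13.0, 42), (3, 12.5, 41),
    (4, 11.0, 39), (5, 12.2, 40), (6, 13.1, 43), (7, 12.8, 41),
    (8, 14.0, 45),
    (9, 60.0, 47),   # traffic surge while failures keep coming: bulk upload or brute forcing
    (10, 85.0, 3),   # surge while failures collapse: did someone get in?
    (11, 90.0, 2),
    (12, 12.0, 40),
]
BASELINE_INTERVALS = 8  # assumed: learn "normal" from the first 8 samples


def baseline(values):
    """Mean and population standard deviation of the learning window."""
    window = values[:BASELINE_INTERVALS]
    return mean(window), pstdev(window)


def threshold_breaches(samples, index, z=3.0):
    """Intervals where the metric in column `index` exceeds mean + z*stdev of its baseline."""
    values = [s[index] for s in samples]
    mu, sigma = baseline(values)
    limit = mu + z * sigma
    return [s[0] for s in samples if s[index] > limit]


def correlate_surge_with_login_drop(samples, z=3.0, drop_fraction=0.5):
    """Intervals where upstream traffic breaches its threshold AND failed logins
    fall below drop_fraction of their baseline mean: a possible successful intrusion."""
    surge = set(threshold_breaches(samples, 1, z))
    mu_fail, _ = baseline([s[2] for s in samples])
    return [s[0] for s in samples if s[0] in surge and s[2] < drop_fraction * mu_fail]


if __name__ == "__main__":
    print("upstream surges:", threshold_breaches(SAMPLES, 1))
    print("failed-login spikes:", threshold_breaches(SAMPLES, 2))
    print("surge with login drop:", correlate_surge_with_login_drop(SAMPLES))
```

In production the baseline would be recomputed on a rolling window (and per weekday or hour, since traffic has a daily rhythm), but the correlation step is the same: a single threshold breach is a performance ticket, two breaches that fit an attack narrative are a security incident.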

Traffic Analysis

Awareness of the type of data traffic flowing in and out of the network can be gained by using protocols such as NetFlow (or IPFIX) and their analysis tools. NetFlow provides the security administrator with information such as the main sources and destinations of traffic, protocols, and applications. This information provides clues about suspicious activity, such as traffic going to uncommon destinations as a result of various infections or “botnets”.
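As an added example of the kind of analysis a flow collector enables (written for this page, not taken from NetFlow tooling), the following Python reads a constructed export of flow records, ranks sources, destinations and protocols by bytes, and then looks for the "many internal hosts talking to one unfamiliar external address" pattern that the text associates with infected hosts and botnets. The addresses, the internal prefix and the allowlist of known external services are all constructed assumptions.

```python
import csv
import io
import ipaddress
from collections import Counter, defaultdict

# Constructed flow export with the fields a NetFlow/IPFIX collector typically writes out.
FLOW_CSV = """\
src_ip,dst_ip,proto,dst_port,bytes
10.1.1.10,93.184.216.34,tcp,443,120000
10.1.1.11,93.184.216.34,tcp,443,98000
10.1.1.12,93.184.216.34,tcp,443,110000
10.1.1.10,198.51.100.7,tcp,8443,1200
10.1.1.11,198.51.100.7,tcp,8443,1150
10.1.1.12,198.51.100.7,tcp,8443,1300
10.1.1.13,198.51.100.7,tcp,8443,1250
10.1.1.10,10.1.2.5,tcp,445,500000
10.1.1.14,8.8.8.8,udp,53,300
"""

INTERNAL = [ipaddress.ip_network("10.0.0.0/8")]          # assumed internal address space
KNOWN_EXTERNAL = {"93.184.216.34", "8.8.8.8"}             # assumed documented SaaS/DNS endpoints


def parse_flows(text):
    """Parse the CSV export into a list of dicts with numeric byte and port fields."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        row["bytes"] = int(row["bytes"])
        row["dst_port"] = int(row["dst_port"])
        rows.append(row)
    return rows


def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL)


def top_talkers(flows, key, n=3):
    """Byte totals aggregated by one flow field (src_ip, dst_ip, proto, dst_port)."""
    totals = Counter()
    for f in flows:
        totals[f[key]] += f["bytes"]
    return totals.most_common(n)


def uncommon_destinations(flows, min_hosts=3):
    """External destinations outside the allowlist that at least `min_hosts`
    distinct internal hosts contacted: the fan-out a command-and-control host shows."""
    hosts_by_dst = defaultdict(set)
    for f in flows:
        if is_internal(f["src_ip"]) and not is_internal(f["dst_ip"]) \
                and f["dst_ip"] not in KNOWN_EXTERNAL:
            hosts_by_dst[f["dst_ip"]].add(f["src_ip"])
    return sorted(dst for dst, hosts in hosts_by_dst.items() if len(hosts) >= min_hosts)


if __name__ == "__main__":
    flows = parse_flows(FLOW_CSV)
    print("top destinations:", top_talkers(flows, "dst_ip"))
    print("bytes by protocol:", top_talkers(flows, "proto"))
    print("uncommon destinations:", uncommon_destinations(flows))
```

Byte volume alone would point at the internal file share here; it is the fan-out count, not the size, that singles out the unfamiliar external host, which is why flow analysis complements simple utilization thresholds.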

Security Management Functions

The ‘S’ in the FCAPS model focuses on securing the network infrastructure and controlling access to devices. To achieve the goal of securing access to the ICT assets, the organization needs:

Centralized Authentication

Controlling access to devices in the infrastructure using a centralized authentication server (e.g. RADIUS). Such a service allows the network manager to create access policies based on user profiles and to track usage.

Multitier Access Privileges

Developing different access and authorization levels for the various groups of users who may need access to the infrastructure (network administrators, engineers, operations, security personnel, vendors, contractors, etc.).

Access Logging

Configuring devices to send their logs to a centralized server. In addition to their value in troubleshooting problems, the logs can be used to detect anomalous behavior that can be a symptom of a malicious attack.

Conclusions

There are several ways in which the implementation of network management’s FCAPS functions can support the objectives of information security. For this reason, network management and security should be treated as two complementary functions in an organization. In fact, many SMB organizations have only one ICT team, and there information security must begin with proper network management.

Your organization’s firewall is the first line of defense against cyber attacks, and it is where the access policies are implemented. In a typical organization, firewall policies are constantly changing to respond to various threats and adapt to changes in the network environment. Therefore, a regular audit of the firewall rules is necessary, not only to maintain the security of the network, but also to ensure the correct and optimal functioning of the firewall as policy rules continue to grow more granular and complex.

Such a firewall audit should look for the common problems that result from frequent changes to firewall policies and provide recommendations on how to correct them. Among the common problems to watch for are:

Excessively permissive rules: Rules that use “any” or “*” in one or more of their fields permit more packets than the network operations require. These rules increase the risk of exploitation.

Redundant rules: A rule is redundant if there is another (prior or subsequent) rule that matches the same packets and requires the same action such that if the redundant rule is removed, the security policy will not be affected. Redundant rules enlarge the size of the security policy unnecessarily and degrade the firewall’s performance.

Shadowed rules: This situation occurs when an earlier rule matches all the packets that a subsequent rule should match, but with a different action. Shadowed rules are problematic because they are never activated, resulting in an incorrect implementation of the security policy.

Unused rules: These are rules that have not matched any packets for a significant period of time. They are often caused by a change in the network or the applications that is not reflected in the firewall policy. These rules clutter the firewall policy and decrease performance. They also slow policy maintenance and hinder troubleshooting.

Disabled rules: These are rules that are marked as inactive or disabled but have not yet been removed from the policy. Unless they are kept for a good reason, disabled rules increase clutter and memory usage.

The sound practice is to perform regular audits (e.g. twice a year) to clean up all redundant, unused, and disabled rules that may have resulted from removing services that no longer exist, temporary exceptions, network upgrades, mergers, and so on. It is also extremely important to find and correct shadowed rules and to restrict the wide-open rules, both to improve security and to adhere to the organization’s security policy.

Manual audit of firewall policy rules is tedious and error-prone. It also adds a significant load to the network administrators. Yet the audit is necessary, or even mandated for compliance purposes. To overcome these challenges, automating parts of the audit process can reduce complexity and achieve significant performance improvements.
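As an added illustration of what such automation checks (example code written for this page, not DynamikNets’ tooling or any vendor’s), the following Python models a rule set whose fields are either the “any” wildcard or an explicit set of values, and flags each of the five anomaly classes listed above. The rules, addresses and hit counters are constructed. Two simplifications are assumed: a permit rule with two or more “any” fields counts as excessively permissive, and shadowing and redundancy are checked against single earlier or later rules rather than against the union of several rules.

```python
from dataclasses import dataclass
from typing import FrozenSet, Union

ANY = "any"
Field = Union[str, FrozenSet[str]]   # the "any" wildcard or an explicit set of values


def S(*values):
    """Shorthand for an explicit field value set."""
    return frozenset(values)


@dataclass
class Rule:
    rid: int
    action: str            # "permit" or "deny"
    src: Field
    dst: Field
    proto: Field
    port: Field
    hits: int = 0          # packets matched since the last counter reset
    enabled: bool = True

    def fields(self):
        return (self.src, self.dst, self.proto, self.port)


# Constructed rule set, evaluated top-down, first match wins.
RULES = [
    Rule(1, "permit", ANY, ANY, S("tcp"), S("22"), hits=10),
    Rule(2, "deny", S("10.0.0.5"), ANY, ANY, ANY, hits=0),
    Rule(3, "permit", S("10.0.0.5"), S("192.0.2.10"), S("tcp"), S("80"), hits=0),
    Rule(4, "permit", S("10.0.1.0"), S("192.0.2.20"), S("tcp"), S("443"), hits=500),
    Rule(5, "permit", S("10.0.1.0"), S("192.0.2.20"), S("tcp"), S("443", "8443"), hits=20),
    Rule(6, "permit", S("10.0.2.7"), S("192.0.2.20"), S("tcp"), S("443"), enabled=False),
    Rule(7, "permit", S("10.0.3.0"), S("198.51.100.5"), S("udp"), S("53"), hits=0),
]


def field_subset(a: Field, b: Field) -> bool:
    """Every value field a accepts is also accepted by field b."""
    return b == ANY or (a != ANY and a <= b)


def field_overlap(a: Field, b: Field) -> bool:
    return a == ANY or b == ANY or bool(a & b)


def covers(outer: Rule, inner: Rule) -> bool:
    """outer matches every packet that inner matches."""
    return all(field_subset(i, o) for i, o in zip(inner.fields(), outer.fields()))


def overlaps(r: Rule, s: Rule) -> bool:
    """Some packet matches both rules."""
    return all(field_overlap(a, b) for a, b in zip(r.fields(), s.fields()))


def audit_rules(rules, any_threshold=2):
    findings = {"permissive": [], "redundant": [], "shadowed": [], "unused": [], "disabled": []}
    for r in rules:
        if not r.enabled:
            findings["disabled"].append(r.rid)
            continue
        if r.hits == 0:
            findings["unused"].append(r.rid)
        if r.action == "permit" and sum(f == ANY for f in r.fields()) >= any_threshold:
            findings["permissive"].append(r.rid)
    active = [r for r in rules if r.enabled]
    for j, later in enumerate(active):
        for i, earlier in enumerate(active[:j]):
            between = active[i + 1:j]
            if earlier.action != later.action:
                if covers(earlier, later):          # later can never fire
                    findings["shadowed"].append(later.rid)
                continue
            # Same action: the covered rule is redundant unless a rule in between
            # with a different action diverts some of its packets.
            if covers(earlier, later):
                if not any(b.action != later.action and overlaps(b, later) for b in between):
                    findings["redundant"].append(later.rid)
            elif covers(later, earlier):
                if not any(b.action != earlier.action and overlaps(b, earlier) for b in between):
                    findings["redundant"].append(earlier.rid)
    return {k: sorted(set(v)) for k, v in findings.items()}


if __name__ == "__main__":
    for kind, rids in audit_rules(RULES).items():
        print(f"{kind:11s} rules: {rids}")
```

Rule 3 shows why shadowed rules also surface as unused: the deny above it takes every packet first, so its counter never moves. Rule 4, by contrast, has the most hits in the set yet is redundant, because the broader rule 5 directly below it would accept the same traffic; hit counts alone would have kept it.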

At DynamikNets, we have developed the tools to automate firewall policy audits and recommend improvements. The tools inspect firewall configurations from major vendors and identify rule anomalies and other problems. Combined with manual review of other firewall data, we are able to provide our customers with comprehensive recommendations of the changes that need to be made to the firewall rules to optimize performance.

To learn more about DynamikNets firewall policy auditing capabilities and services, please contact us. Also, please tell us more about your firewall audit practices by answering an anonymous survey.